Motivation

As described in the official announcement, the new Trusted Publishing feature greatly enhances package publishing security on NuGet.org.

We successfully tested this approach with our own NuGet library:

• GitHub Actions run example
• Corresponding commit

Required changes in this repository

Recommendation followed from announcement:
For security, always use a GitHub secret like ${{ secrets.NUGET_USER }} for your NuGet.org username (profile name), not your email address.

• Add secrets.NUGET_USER to this repository, using the NuGet.org username (profile name) of the package owner (abergs in this case).
• The old secrets.NUGET_API_KEY secret can be removed from this repository and also from the NuGet.org account if it was only used here.

One-time configuration on NuGet.org

According to the documentation:

1. Sign in to NuGet.org.
2. Open your user menu (top-right) → Trusted Publishing (next to "API Keys").
3. Create a policy:
   • Package owner: you or your organization (e.g. abergs).
   • Repository owner: your GitHub org/user (e.g. passwordless-lib).
   • Repository name: repository name (e.g. fido2-net-lib).
   • Workflow file: the YAML file under .github/workflows/ (e.g. main.yml).
   • Environment (optional): specify if your workflow uses GitHub Actions environments.

This setup eliminates the need for long-lived API keys and improves the overall security of the publishing process.